
PROTECTING PATIENT PRIVACY IN HEALTHCARE INFORMATION SYSTEMS

HEARING
BEFORE THE
SUBCOMMITTEE ON INFORMATION POLICY, CENSUS, AND NATIONAL ARCHIVES
OF THE
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED TENTH CONGRESS
FIRST SESSION
JUNE 19, 2007

Serial No. 110-33


Printed for the use of the Committee on Oversight and Government Reform

Available via the World Wide Web: http://www.gpoaccess.gov/congress/index.html
http://www.oversight.house.gov
U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON

39023 PDF

2008

For sale by the Superintendent of Documents, U.S. Government Printing Office


Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; DC area (202) 512-1800
Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 20402-0001

VerDate 11-MAY-2000

14:45 Jan 14, 2008

Jkt 000000

PO 00000

Frm 00001

Fmt 5011

Sfmt 5011

C:\DOCS\39023.TXT

HGOVREF1

PsN: HGOVREF1

COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM


HENRY A. WAXMAN, California, Chairman
TOM LANTOS, California
TOM DAVIS, Virginia
EDOLPHUS TOWNS, New York
DAN BURTON, Indiana
PAUL E. KANJORSKI, Pennsylvania
CHRISTOPHER SHAYS, Connecticut
CAROLYN B. MALONEY, New York
JOHN M. MCHUGH, New York
JOHN L. MICA, Florida
ELIJAH E. CUMMINGS, Maryland
MARK E. SOUDER, Indiana
DENNIS J. KUCINICH, Ohio
TODD RUSSELL PLATTS, Pennsylvania
DANNY K. DAVIS, Illinois
CHRIS CANNON, Utah
JOHN F. TIERNEY, Massachusetts
JOHN J. DUNCAN, JR., Tennessee
WM. LACY CLAY, Missouri
MICHAEL R. TURNER, Ohio
DIANE E. WATSON, California
DARRELL E. ISSA, California
STEPHEN F. LYNCH, Massachusetts
KENNY MARCHANT, Texas
BRIAN HIGGINS, New York
LYNN A. WESTMORELAND, Georgia
JOHN A. YARMUTH, Kentucky
PATRICK T. MCHENRY, North Carolina
BRUCE L. BRALEY, Iowa
VIRGINIA FOXX, North Carolina
ELEANOR HOLMES NORTON, District of Columbia
BRIAN P. BILBRAY, California
BILL SALI, Idaho
BETTY MCCOLLUM, Minnesota
JIM COOPER, Tennessee
JIM JORDAN, Ohio
CHRIS VAN HOLLEN, Maryland
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
JOHN P. SARBANES, Maryland
PETER WELCH, Vermont
PHIL SCHILIRO, Chief of Staff
PHIL BARNETT, Staff Director
EARLEY GREEN, Chief Clerk
DAVID MARIN, Minority Staff Director

SUBCOMMITTEE ON INFORMATION POLICY, CENSUS, AND NATIONAL ARCHIVES

WM. LACY CLAY, Missouri, Chairman


PAUL E. KANJORSKI, Pennsylvania
MICHAEL R. TURNER, Ohio
CAROLYN B. MALONEY, New York
CHRIS CANNON, Utah
JOHN A. YARMUTH, Kentucky
BILL SALI, Idaho
PAUL W. HODES, New Hampshire
TONY HAYWOOD, Staff Director


CONTENTS

                                                                        Page
Hearing held on June 19, 2007 ..............................................   1
Statement of:
    Grealy, Mary R., president, Healthcare Leadership Council; Byron
      Pickard, president, American Health Information Management
      Association; and Peter Swire, senior fellow, Center for American
      Progress .........................................................  41
        Grealy, Mary R. ................................................  41
        Pickard, Byron .................................................  63
        Swire, Peter ...................................................  86
    Melvin, Valerie C., Director of Information Management Issues,
      Government Accountability Office, accompanied by Linda D. Koontz,
      Director for Information Management Issues, Government
      Accountability Office ............................................   6
Letters, statements, etc., submitted for the record by:
    Clay, Hon. Wm. Lacy, a Representative in Congress from the State of
      Missouri, prepared statement of ..................................   3
    Grealy, Mary R., president, Healthcare Leadership Council, prepared
      statement of .....................................................  43
    Hodes, Hon. Paul W., a Representative in Congress from the State of
      New Hampshire, prepared statement of .............................  34
    Melvin, Valerie C., Director of Information Management Issues,
      Government Accountability Office, prepared statement of ..........   8
    Pickard, Byron, president, American Health Information Management
      Association, prepared statement of ...............................  65
    Swire, Peter, senior fellow, Center for American Progress, prepared
      statement of .....................................................  88

PROTECTING PATIENT PRIVACY IN HEALTHCARE INFORMATION SYSTEMS

TUESDAY, JUNE 19, 2007

HOUSE OF REPRESENTATIVES,
SUBCOMMITTEE ON INFORMATION POLICY, CENSUS, AND NATIONAL ARCHIVES,
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM,
Washington, DC.
The subcommittee met, pursuant to notice, at 2 p.m. in room
2154, Rayburn House Office Building, Hon. Wm. Lacy Clay (chairman of the subcommittee) presiding.
Present: Representatives Clay, Maloney, Hodes, and Turner.
Staff present: Tony Haywood, staff director/counsel; Jean Gosa,
clerk; Adam C. Bordes, professional staff member; Nidia Salazar,
staff assistant; Charles Phillips, minority counsel; Allyson
Blandford, minority professional staff member; Patrick Lyden, minority parliamentarian and member services coordinator; and Benjamin Chance, minority clerk.
Mr. CLAY. The Subcommittee on Information Policy, Census, and
National Archives will come to order.
Let me begin by saying good afternoon and welcome to today's
hearing on efforts to protect the privacy of personal health information in electronic health care information systems.
The use of IT to store, share, and secure electronic health information has expanded rapidly in recent years. Many insurers and
hospitals have already transitioned from paper-based records to
electronic medical record systems for exchanging patient data. This
has brought important benefits to both patients and providers, including shorter hospital stays, improved management of chronic
disease, and fewer redundant tests and examinations.
Americans have expressed legitimate concerns, however, about
the potential for improper disclosure of personally identifiable
health care information. Before they will fully embrace the benefits
and efficiencies of e-health solutions, patients must be confident
that personal information in electronic format is as secure and private as information in paper records.
A nationwide health information network promises tremendous
benefits for patients. For 3 years the Department of Health and
Human Services has been working to make the idea technically
and economically feasible. Unfortunately, a January 2007 GAO report found that HHS was not doing enough to integrate effective
privacy safeguards into its long-term national strategy for health
IT. Varying health IT privacy standards in different States are another area of concern.
While the enactment of the Health Insurance Portability and Accountability Act [HIPAA], in 1996 was an important step forward,
it has left patients with disparate privacy protections. I believe we
should amend HIPAA to extend the most effective and practical
privacy safeguards to everyone.
I introduced bipartisan legislation in the 109th Congress which
proposed to establish a framework for a uniform national health
privacy standard. Giving patients greater personal control over
their health information is critical; therefore, putting in place
stricter notice and consent requirements for all third-party disclosures and information sharing activities is an important legislative
objective for Congress to achieve.
Today's hearing will allow different perspectives on these issues
to be aired as we move toward implementing a national health care
information network.
I must say that I am disappointed that HHS was unable to supply a suitable witness to appear today on behalf of the administration, but the Department has submitted written testimony for today's hearing, and I will ask GAO and our other witnesses to respond to positions stated in that testimony.
I look forward to the testimony of all of our witnesses.
[The prepared statement of Hon. Wm. Lacy Clay follows:]

Mr. CLAY. I assume when the ranking member gets here he will
have an opening statement and we will yield to him for that, but
for now we will proceed with the hearing.
If we don't have any additional statements, the subcommittee
will now hear testimony from the witnesses before us today.
On our first panel we will hear from Valerie C. Melvin, Director
for Human Capital and Management Information Systems Issues
at GAO. Welcome, Ms. Melvin.
Accompanying Ms. Melvin is Linda D. Koontz, Director for Information Management Issues at GAO. Welcome to you.
Ms. Melvin will deliver GAO's formal testimony, and both will respond to questions.
Thank you for appearing before the committee today. It is the
policy of the Committee on Oversight and Government Reform to
swear in all witnesses before they testify. Will you both please
stand and raise your right hands?
[Witnesses sworn.]
Mr. CLAY. Let the record reflect that the witnesses answered in
the affirmative.
Ms. Melvin, you will have 5 minutes to make an opening statement. Your complete written testimony will be included in the
hearing record.
The lighting system and the timing system does not work, so we
will notify you probably through the use of the gavel when you get
close to the 5-minute time limit.
Mr. Turner, thank you for being here.
Mr. TURNER. Mr. Chairman, thank you.
Mr. CLAY. OK. And you may, if you have an opening statement,
you may proceed, sir.
Mr. TURNER. Thank you, Mr. Chairman. I appreciate that and I
apologize for my being late.
I want to thank you for holding this important hearing on privacy concerns and health information technology. Many health care
experts agree that investing in health information technology will
dramatically improve patient care while simultaneously decreasing
health care costs.
For example, Kettering Medical Center in my District and its
partners have created the Dayton Individual Health Record Pilot
Project, IHR. The Dayton IHR pilot combines a patient's health information from different sources and presents that information to
patients, doctors, and other health care professionals in a format
that helps all health participants make efficient, appropriate decisions about their care options.
The Dayton IHR is a Web-based record that allows a patient to
access their information from their home, the office, or even if the
patient ends up in an emergency room in another town.
While it is important that technology like the Dayton IHR be
made available, it should not be available at the sacrifice of patient
privacy and security. The Dayton IHR ensures that only the patient and the physicians granted access by the patient can look at
the information within the IHR.
This subcommittee has previously discussed privacy concerns in
relation to Federal IT infrastructures, and I expressed my concerns

with how IT breaches affect individuals, as well as national security.
Health care raises unique privacy concerns, but I am interested
to learn how we can work with all stakeholders to address important privacy issues and facilitate the adoption of health IT. Health
IT holds the promise of increasing the quality of health care, as
well as decreasing health care costs for American families. We
must be careful, however, to reach these goals without sacrificing
the security of professional health information.
I look forward to hearing the information from today's witnesses
on this important topic, and I yield back the remainder of my time.
Thank you.
Mr. CLAY. Thank you so much, Mr. Turner.
We will begin with Ms. Melvin.
You may proceed.
STATEMENT OF VALERIE C. MELVIN, DIRECTOR OF INFORMATION MANAGEMENT ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE, ACCOMPANIED BY LINDA D. KOONTZ, DIRECTOR FOR INFORMATION MANAGEMENT ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE

Ms. MELVIN. Thank you, Mr. Chairman and Ranking Member Turner.
We are pleased to be here today to testify on privacy issues associated with efforts to increase the use of information technology in
the health care industry. As noted, with me today is Linda Koontz,
Director of Information Management Issues, who is responsible for
GAO's privacy work.
In 2004 President Bush issued an Executive order that called for
widespread adoption of interoperable electronic health records by
2014 and established a National Coordinator for Health IT to lead
and foster public/private coordination.
The benefits of health IT are immense, and include reducing
medical errors and improving public health emergency response.
However, the increasing use of technology also raises concerns regarding the extent to which patient privacy is protected. The challenge is to strike the right balance between patient privacy concerns and the numerous benefits that IT has to offer.
Over the past few years, we have issued reports and testified numerous times on HHS efforts toward defining a national health IT
strategy. Among these reports, one issued last January highlighted
HHS health IT privacy initiatives. Today, as requested, I will summarize the results of that study, highlighting three points: the importance of having a comprehensive privacy approach, HHS initial
efforts to address privacy as part of its national health IT strategy,
and additional efforts needed.
Privacy is a major concern in the health care industry, given the
sensitivity of certain medical information and the complexity of the
health care delivery system, with its numerous players and extensive information exchange requirements. This concern increases
with the transition to using more electronic health records. A comprehensive privacy approach is needed to determine how personally
identifiable information will be disclosed, used, and protected.

HHS acknowledges in its national health IT framework the need
to protect consumer privacy, and it plans to develop and implement
privacy and security policies, practices, and standards for electronic
health information exchange. To this end, HHS and its Office of the
National Coordinator have initiated several efforts, including
awarding contracts, including one for privacy and security solutions; consulting with the National Committee on Vital and Health
Statistics to develop privacy recommendations; and forming a confidentiality, privacy, and security work group to identify and address privacy and security policy issues.
Ultimately, the National Coordinator's Office intends to use the
results of these initiatives to identify policy and technical solutions
for protecting personal health information as part of its continuing
efforts to complete a national health IT strategy. However, while
these efforts are good building blocks on which progress has been
made, important work remains, including assessing how variations
in State laws affect health information exchange, acting on the privacy and security contractor's findings and advisory group recommendations, and identifying and implementing privacy and security standards.
Moreover, how and when HHS plans to integrate the outcomes
of these initiatives is unclear; thus, we have recommended that
HHS develop an overall privacy approach that identifies milestones
and an accountable entity for integrating the outcomes of its health
IT contracts and advisory group recommendations, ensures that
key privacy principles are fully addressed, and addresses key challenges associated with legal and policy issues and the disclosure,
access to, and security of information.
In recent discussions with us, the National Coordinator committed to developing a plan that would accomplish these objectives. In
this regard, he announced last weekend an initiative to build consensus around a harmonized set of privacy and security principles
which are to serve as a framework for addressing these important
issues.
Overall, Mr. Chairman, the National Coordinator's intent to act
on such an approach is promising, and building a framework based
on fair information principles is a good starting point for moving
forward; however, achieving this goal to safeguard personal health
information will be difficult and plagued with challenges and will
necessitate sustained leadership from HHS to realize success.
This concludes our prepared statement. We would be pleased to
respond to any questions that you may have.
[The prepared statement of Ms. Melvin follows:]

Mr. CLAY. Thank you so much, Ms. Melvin.
According to their written testimony, HHS states that it has invested significant resources and efforts in our nationwide strategy
for protecting health information. Our national health IT agenda
approaches our privacy and security through a full suite of activities both in form of current work and preparing for future needs.
Specifically, HHS mentions authorizing a review of 34 States and
Puerto Rico to analyze how their laws are affecting the sharing of
health information. Yet, GAO's January 2007 report cites HHS'
lack of an overall strategic plan for integrating its privacy initiative
into a health information network. The report also concludes that
HHS lacks appropriate milestones to measure its progress to meet
these requirements.
With that in mind, I would like to ask the following question: can
you explain how HHS is addressing the legal barriers associated
with variances in State privacy laws and methods to limit the types
of information disclosed through a nationwide exchange? And is it
true that HHS disagrees with GAO's recommendation to establish
milestones to measure progress and outcomes in the development
of privacy protections for a network? If so, why?
Ms. MELVIN. When our report was issued, our concern was that
HHS did not have, as you said, an integrated plan that would allow
all the various initiatives that it has undertaken to be integrated
and to be guided by milestones and measure its progress, and also
from the standpoint of having a leader to make sure that there
would be complete integration of the various initiatives to guide the
overall effort.
There are other factors related to the variations in the State
agencies. They do, in fact, have contracts in place that are intended
to assess those, as you have mentioned, and those types of initiatives are all the ones that we believe have to be guided and driven
by an overall integrated plan that has a well-defined approach to
bringing together the specific initiatives, to being able to look at all
of the findings and the assessments that are being made, and to
develop and implement solutions as a result of what their assessments have determined.
Mr. CLAY. Well, can you identify for us the entity or entities
within HHS that will be responsible for coordinating and implementing its privacy initiatives? Who will promulgate the regulations and oversight activities for privacy within the network? Is
this entity effectively staffed and capable of managing its responsibilities?
Ms. MELVIN. One of the key areas or pieces of information that
we believe is missing is the identification of the critical entity that
would be responsible for bringing together all of the initiatives, as
you have noted, so we cannot identify at this time who that would
be. We do understand, through our recent discussions with Dr.
Kolodner, that the agency is taking steps through the National Coordinator's Office to implement a framework; however, how that
framework will be put in place and who will actually guide and
lead their efforts to accomplish that has not been specified and we
have no information that we could share regarding its
Mr. CLAY. They don't know yet? I mean, you gave them that report in January of this year.

Ms. MELVIN. Yes.
Mr. CLAY. And they have not moved on the recommendations is
what you are telling me?
Ms. MELVIN. As of last week when we spoke with Dr. Kolodner
their efforts were in the early stages and there was no specific information provided to us relative to who the entity would be that
would lead all of those efforts.
I should note that when our report was issued the National Coordinator's Office did have a difference relative to how they should
proceed with a coordinated approach, so it has only been in recent
times that we have now, I think, reached more agreement with
them relative to the importance of having a plan in place, an approach that would, in fact, include and identify a specific leader for
integrating or overseeing the integration of the various initiatives.
Mr. CLAY. Thank you for that. And this is a question for either
one of you. One of HIPAA's limitations is that it does not cover all
entities that possess or utilize personal health information. Some
life insurers and research entities that are not involved with the
treatment of patients fall outside the rules. Have you examined the
practical impact of not covering some entities that have access to
personal health information? Is this a significant problem, in your
view, Ms. Koontz?
Ms. KOONTZ. I think that is a significant issue that deserves
more study, and we would like to see HHS consider that as it
moves forward in developing privacy policies, practices, and standards. It is true that HIPAA covers health plans, health providers
who transmit electronic information in support of transactions, and
health information clearinghouses. The entities that you mentioned
are outside the coverage of HIPAA. I think that, naturally, as we
move to a national health information network in which it will be
much easier, and it is actually intended to make information flow
more easily, this is something that we should pay a lot more attention to. Again, I do hope that HHS includes this in their deliberations as they move forward.
Mr. CLAY. OK. Thank you for your response.
Let me now turn to my ranking member, Mr. Turner.
You may proceed.
Mr. TURNER. Thank you.
Thank you for the information you have provided to us in your
testimony today. This is an important issue on pretty much three
fronts. We have our desire to find cost savings and reduce the spiraling increases in health care costs. The second issue is quality of
health care. What can we do to increase the quality of health care?
And the third issue is: how do you balance privacy?
So many times when we make an advance in one area privacy
either takes a hit, or when we think we are taking an advance in
privacy others take a hit.
I will tell you one funny story. Two years ago when I was in
Washington I broke my sunglasses. I called my wife at home and
said, can you go and get me some new sunglasses. I have a prescription. She goes to the eyeglass place and they wouldn't let her
buy eyeglasses because they said under HIPAA there is a fear that
she would discover what my prescription is. You know, that is not
exactly something that I have a concern about having a privacy expectation. But, nevertheless, that was the application. We had to
wait until I returned back home until I could get them.
So this is a fine balance of what things do we have an expectation of privacy, and what things are important for efficiency, and
what things do we have for cost savings, and many times there are
unintended consequences (you know, I can't get my sunglasses unless I am back home) that are overlooked. What confidence do you
have, in describing the process that we are undertaking, that the
Federal Government is going to be able to have a better record in
ascertaining that yes, we really need to protect people's privacy,
yes, we need to find cost savings, and we need to find efficiencies
to increase quality of health care? What are your thoughts?
Ms. MELVIN. Again, I think the confidence will grow from the extent to which there is transparency in the way that the health information network is put together and the way that privacy is conveyed to and understood by the public.
Our work has emphasized the need for the National Coordinator's Office and HHS to spend significant time in making sure that
there is outreach and consensus to bring together a better understanding among all participants that would be involved in the overall health initiative.
You are right, there is an extremely fine balance between the
privacy issues and the need to ensure quality care, the need to try
to have improvements in the way that information is made available about care, and all of that comes through, again, having a defined plan for how they will do that, as well as having necessary
outreach, necessary information made available to educate the public on the need for and the use of electronic health records so that
certainly at some point hopefully there would be buy-in, more buy-in to make this a more successful effort.
So I think overall success will depend on how well they can really communicate and convey the need for and ultimately to implement a system that does balance privacy and security with the
quality of the care that is being provided.
Mr. TURNER. One of the issues that has been identified is the
cost savings that we expect from going to electronic recordkeeping,
and the implementation of technology on this issue is that we don't
really know what our cost savings would be, and we are not capturing in a very effective way how this might advance us in cost. Do
you agree with that? And also, do you have thoughts as to what
we could be doing better to understand really what will we be able
to effect in cost savings in this?
Ms. MELVIN. I think clearly the cost savings is an issue. The
overall cost of the initiative is an issue that would have to be defined based on what technology is ultimately determined to be
needed and put in place for this, again largely driven by the privacy and policy security implications that would drive the technology that would need to be put in place.
Then ultimately, as a part of the overall strategy and the defined
approach that the agency would need to have, a key part of that
is defining what the costs are, what the outcomes that result from
that are in the way of benefits and savings. I think all of those aspects collectively are going to be important in defining what the actual cost is ultimately for the overall initiative.

Mr. TURNER. Thank you, Mr. Chairman.
Mr. CLAY. Thank you, Mr. Turner.
We have been joined by our colleague from New Hampshire, Mr.
Hodes.
I understand you have an opening statement. You may proceed
with that and then go into your questions.
Mr. HODES. Thank you, Mr. Chairman.
Mr. CLAY. You have ample time. You are welcome.
Mr. HODES. This is a very important hearing. The privacy concerns related to health information technology in the digital age
take on an increasingly important role as we examine a health care
system which many people feel is a system which is dysfunctional
and not operating as it should, and many are looking to electronic
medical records technology as a key component to making our
health care system a better-functioning system.
It seems that it is fairly obvious, at least to me, that there are
great benefits in increased coordination of care from effective and
appropriately constructed medical records technology systems, because instead of having people carrying around paper records and
sacks of pills from one doctor to another and having the second doctor trying to figure out what it is that patient is on, we can quickly
and easily, with medical records technology, determine what care
that patient has had.
On the other hand, medical records technology presents great
risks to patient security and private information. We have recently
seen in the Veterans Administration, which frankly is in the forefront of developing electronic medical records technology, when a
single laptop is lost there is enormous amounts of personal data
that is compromised. So coming up with the right construct and the
right system is clearly very important, and it is, I think, an urgent
matter for us because there are a number of initiatives, both in the
private sector and in Government, that are taking us down the
road, but it sounds from your testimony and the report that there
is still a very, very long way to go in coming up with an appropriate national system.
[The prepared statement of Hon. Paul W. Hodes follows:]
Mr. HODES. One question, Ms. Melvin, that I had raised by your
testimony that I would just like you to clarify for me, if you could,
would be, and I may not have all the terms right, but you mentioned that the National Coordinator's Office at HHS, I believe, had
a difference about a national coordinated approach when your report was initially sent over?
Ms. MELVIN. We had originally recommended that they develop
a defined approach that would, in fact, allow them to integrate the
various initiatives, that would establish milestones and timeframes
for the completion of initiatives, obviously considering that there
were multiple activities going on, and that would, in fact, designate
a leader, identify a leader who would lead the overall coordination,
an entity that would lead the overall coordination of all of the various initiatives being put in place.
I believe that in this case in their comments HHS essentially believed that they did have a comprehensive approach. We had a difference relative to the construct of that approach and whether, in
fact, it contained all of the necessary or recognized all of the necessary components in the way of having a designated leader, in the
way of having established milestones, and potentially measures for
being able to really gauge progress and to guide the overall effort.
Mr. HODES. And I gather there were some discussions that took
place?
Ms. MELVIN. We have subsequently met with Dr. Kolodner, actually within the last week. We have talked more about what our
concerns were relative to the lack of such a defined approach, and
in talking with him and through information that we have seen
since our discussions, there is an indication that he is in agreement
with the need for having an approach, some type of road map that
would, in fact, provide more detail than defined milestones for integrating the various initiatives that are underway.
Mr. HODES. There is no disagreement between you and Dr.
Kolodner that the coordinator of any national health information
technology system would be situated at HHS, is there?
Ms. MELVIN. We have not talked specifically about what entity
would be the leader to integrate this. Our discussions were at a
level relative to the importance, the significance overall of developing an approach. We have not described what that approach would
be. We do feel it is important, however, that approach does, in fact,
define those critical elements relative to timeframes and milestones, measures of performance, and also in terms of actually
identifying the entity that would lead it, but we have not talked
about specifically who that entity would be.
Mr. HODES. You are just trying to get to square one with HHS
and have them recognize that there needs to be a coordinated approach with time lines and benchmarks and setting out a plan to
put together the initiatives that have already been begun into some
comprehensive plan that we can all look at and then talk about?
Ms. MELVIN. That is absolutely correct, sir.
Mr. HODES. I am just about finished, Mr. Chairman.
When you say that Dr. Kolodner has indicated his agreement, is
that verbally? Is that in writing? How has that agreement been indicated?
Ms. MELVIN. Our discussions have been held through a meeting
with Dr. Kolodner relative to what actions they were taking, but,
as I stated earlier, we have not discussed the specifics of what that
planned approach would look like ultimately. It is our hope, and we
do view, you know, the fact that at this point he does agree with
the need for that as very promising, but, as our statement indicates, it is a very difficult task. It is a long road. It does involve
a lot of initiatives, and it will take sustained and committed effort
on HHS' part to make sure that happens.
Mr. HODES. What is your timeframe for getting some sort of concrete response beyond the verbal discussions you have had from Dr.
Kolodner and HHS that would clearly indicate, something we could
look at, that says HHS agrees that we are going down this road
and here is how we are going to get there? Are we talking a week?
A month? Two months?
Ms. MELVIN. We have not specified a specific timeframe. Obviously, based on our recommendation, we do feel it is very important that this effort be undertaken urgently. It is very critical from
the standpoint of the many initiatives that HHS and the National
Coordinator's Office does have underway that lead to the development of technology, the significant point being that you want security and privacy policies to be in place to really guide and be a factor in determining what technology is there. So it is an urgent effort, but not one that we put a definite timeframe on for seeing
that it happens.
Mr. HODES. Thank you very much.
Thank you, Mr. Chairman.
Mr. CLAY. Thank you, Mr. Hodes, for that line of questioning.
This question is for either/or. I would like to hear your thoughts
on HHS' enforcement policies, practices, and procedures. There has
been significant criticism of the agency's enforcement of HIPAA
and lack of civil penalties enforced on identified violations. Are the
enforcement activities of HHS being carried out in accordance with
the statute and the legislation and regulations? Are the current
regulations adequate to ensure that violating entities are being
sanctioned appropriately?
Ms. KOONTZ. I have to say, first of all, that we have not studied
HHS' enforcement actions; however, I think it has been widely reported that there have been few enforcement actions on their part.
The way HIPAA is set up right now is that if an individual has
a complaint they can go to HHS, the Office of Civil Rights, and
complain about privacy violations. I think that this, again, is another issue for us moving forward. Under HIPAA, for example,
there is no individual right of action. If someone isn't satisfied with
what happens at HHS, they cannot go to the courts for resolution.
I think this is an issue that, you know, we will need to look at over
time, but we haven't studied it in depth.
Mr. CLAY. One IT-specific recommendation offered by the National Council of Vital Health Statistics was for HHS to support research and development of contextual access criteria that is appropriate for the dissemination and sharing of electronic health information. Do you know whether HHS is addressing this issue and,
if not, why not? And does GAO concur with the findings and recommendations of the National Committee on Vital Health Statistics?
Ms. KOONTZ. First of all, in terms of the contextual information,
I think that is quite an exciting idea, because if you look at paper
records right now, if you have to disclose a paper record I think
that the default is to perhaps disclose the whole piece of paper. The
idea of this contextual access would be that when you disclosed information you would use technology in such a way that you could
disclose only the information that was actually needed, so it would
be a way to really leverage technology to increase privacy for patients and consumers. So the National Committee on Vital and
Health Statistics did recommend that HHS look at this more fully
in the process, and we support that.
I think one of the things that, as they move forward on a comprehensive strategy for addressing privacy, they need to take into
consideration the results of all these different contracts and initiatives that they have going on, which seem to have a lot of merit.
They need to take into consideration the recommendations of
NCVHS, and they need to take into consideration some of the challenges that I think we raised in our report.
Mr. CLAY. Thank you for that response.
When multiple States with conflicting laws have personal health
information concerning the same patient, which State's privacy
standard will apply, and under what circumstances? How can entities in one State appropriately manage patient data within their
electronic patient records if they are unaware of applicable restrictions in another State?
Ms. KOONTZ. Well, the issue about HIPAA is that HIPAA is
meant to be a floor in terms of privacy protection, so that means
it does not preempt a State law that provides greater privacy protections than the Federal law. But you are right: what it leads to
is very much a patchwork of different kinds of laws in varying
States, and when you go to electronic health records and you go to
a national health information network, again, the information is to
move. It can move much more freely than it does now in a paper
environment.
One of the challenges, when we were doing our study, that many
organizations talked to us about is operationalizing these various
requirements and being able to navigate in an environment where
information is created in one State, it is sent to another, it is sent
yet to another, and how to really navigate in that kind of environment has caused a complexity which may indicate some need
maybe for greater guidance in terms of how to navigate this. And
some people have suggested, of course, that there be some kind of
national standard for privacy that is consistent across the States.
We haven't studied that further, but that has been an issue that
has often been raised.
Mr. CLAY. Good. Thank you very much.
Mr. Turner.
Mr. TURNER. Thank you, Mr. Chairman.
We want to note that Government Health IT reported on June
15, 2007, that Dr. Kolodner, National Coordinator of Health Information and Technology, has revealed that his office will propose a
draft framework for privacy policy later this year. Kolodner said it
will reference other privacy policy documents from organizations
such as Connecting for Health, the National Committee on Vital
and Health Statistics, and the Organization for Economic Cooperation and Development. I look forward to seeing that so we can all
have an opportunity to review it and determine its effectiveness.
I am going to ask if you could talk for a momentand you may
not be able to, but the VA's experience during Katrina, we have
all heard news reports about how the VA was able to transfer large
numbers of patients' records far more quickly than private hospitals. Are you familiar with the VA's experience and their system?
Could you comment on that?
Ms. MELVIN. I am not familiar with that particular experience,
but what I can tell you is that VA does have a comprehensive longitudinal electronic health record for its patients, which would explain its ability to make information available for those people who
were affected by Hurricane Katrina. Its system is set up so that it
contains a complete record of each patient that is captured within
its system, so that would explain its ability to perhaps have records
available more readily certainly than other entities that do not
have such a capability at this point.
Mr. TURNER. Are you familiar with either their experience of cost
savings or efficiencies in increasing medical care and/or privacy
issues and policies?
Ms. MELVIN. I dont have specific information on their cost savings. I can tell you, though, that they have a very impressive system in place that has allowed them to achieve many improvements
in quality of care through the clinicians' ability to have ready access to information, through their ability to actually use that information in the health care of patients at this point.
Mr. TURNER. Thank you very much.
Ms. MELVIN. You are very welcome.
Mr. TURNER. Thank you, Mr. Chairman.
Mr. CLAY. Thank you, Mr. Turner.
Mr. Hodes, any more?
Mr. HODES. Just one more briefly.
Mr. CLAY. Please proceed.
Mr. HODES. Thank you, Mr. Chairman.
I would like to follow up just a little bit on the question about
varying State standards, because I note at page, I think it looks
like 15 of your report, where you talk about the challenges to exchanging electronic health information and the area of understanding and resolving legal and policy issues, and the first bullet point
you talk about is resolving uncertainties regarding the extent of
Federal privacy protection, and it leads me to the question of how
quickly we can go to a national information system with so many
differing standards out there among the States.
Could you tell us what do you think the benefits would be to establishing a Federal standard in these areas, even if it meant hypothetically preempting the States?
Ms. KOONTZ. Well, it is obviously a policy judgment that you are
probably in a much better position to make than I, but
Mr. HODES. That is why I asked the question.
Ms. KOONTZ. Fair enough. But, I mean, the obvious advantage
here is that we would be trading off some, getting rid of some complexity in order to, you know, if we got some standardization. Obviously, from talking to a fairly large number of entities out there
who are involved in information exchange and involved in providing health care, it is tremendously confusing, even to the point of
trying to decide what rules apply, what category do they fit in, and
then also how to operationalize all the different kinds of requirements, as well. So, I mean, I can see on balance it is on the one
hand and on the other hand, but there are definitely benefits to
standardization, as well, although there may be States where you
might end up lowering privacy protection, and I think that is an
issue for that locality.
Mr. HODES. OK. Thank you very much.
Thank you, Mr. Chairman. I yield back.
Mr. CLAY. Thank you, Mr. Hodes.
The AHIC, which is a public/private working group chaired by
the Secretary, assembled a working group on how to address privacy and confidentiality issues last August. What findings, if any,
have been presented to the Secretary? Is AHIC's work consistent
with GAO's findings and recommendations? Are you familiar with
AHIC, the American Health Information Community?
Ms. MELVIN. Yes, we are familiar with that. As far as their findings and recommendations, at this point we are not certain as to
exactly what they are doing. We do know that HHS is in the process of assessing the information that they have from them, and we
have not compared that to GAO's recommendations, as I recall.
Mr. CLAY. OK.
Ms. MELVIN. We have not compared them to GAO's recommendations.
Mr. CLAY. All right. I thank you for that.
Let me thank both of you for your answers today and for being
witnesses at this hearing. I think it is such an important issue, and
we certainly appreciate GAO weighing in. Thank you both. This
panel is dismissed.
I would now like to invite our second panel of witnesses to come
forward, please.
Testifying today on our second panel will be Mary R. Grealy,
president of the Healthcare Leadership Council. Welcome to you.
Byron Pickard, president of the American Health Information
Management Association. Thank you for being here.
Peter P. Swire, the C. William O'Neill professor of law at the
Ohio State University's Moritz College of Law and senior fellow at
the Center for American Progress.
Welcome to all of you.
It is the policy of the committee to swear in all witnesses before
they testify. At this time I would like to ask you all to stand and
raise your right hands.
[Witnesses sworn.]
Mr. CLAY. Let the record show that all of the witnesses answered
in the affirmative.
Each of you will have 5 minutes to make an opening statement.
Your complete written testimony will be included in the hearing
record. The yellow light in front of you will indicate you have 1
minute remaining. The red light will indicate that your time has
expired.
Ms. Grealy, we will begin with you. You may proceed.
STATEMENTS OF MARY R. GREALY, PRESIDENT, HEALTHCARE
LEADERSHIP COUNCIL; BYRON PICKARD, PRESIDENT,
AMERICAN HEALTH INFORMATION MANAGEMENT ASSOCIATION; AND PETER SWIRE, SENIOR FELLOW, CENTER FOR
AMERICAN PROGRESS
STATEMENT OF MARY R. GREALY

Ms. GREALY. Thank you, Mr. Chairman and members of the subcommittee. On behalf of the members of the Healthcare Leadership
Council, I want to thank you for the opportunity to testify on this
extremely important subject.
Certainly all Americans want to be assured, as we move toward
a day when virtually all clinical health information will be exchanged electronically, that their confidentiality will be protected
and information will be used to provide health care of the highest
quality.
The Healthcare Leadership Council is comprised of chief executives of many of the Nation's leading health care companies and organizations representing all sectors of American health care. Our
members are some of the early adopters of health information technology.
Mr. Chairman, with my time limitations there are two key points
that I would like to make today. First, allow me to comment on the
current HIPAA privacy rule, a rule that was developed through
careful, detailed deliberations over a 5-year period, and its effectiveness in the context of electronic health information exchange.
We are concerned that the transition to more widespread use of
electronic medical records will prompt a reactive call in some quarters for additional burdensome privacy regulations. It is important
to note that the HIPAA privacy rule, which is already quite restrictive, was spurred by the growth of electronic transactions and already contains ample provisions governing the confidentiality of information, electronic or otherwise. It is even more important to recognize that more-restrictive rules, such as requiring providers and
payers to obtain prior consent for treatment, payment, and health
care operations, would delay and disrupt health care, particularly
for the most vulnerable patients.
The fact is, Mr. Chairman, the HIPAA privacy rule has a successful track record, and that success is being achieved in an environment in which multi-State electronic data exchange is already
occurring.
Health care providers and plans have spent significant resources
to comply with the HIPAA rule. Before considering any changes,
we should be certain that they are absolutely essential and would
warrant diverting finite resources from patient care to additional
administrative compliance.
The other point I wish to make this afternoon is that, while the
HIPAA privacy rule is effective in protecting patient confidentiality, the development of a multi-State network requires the creation
of a uniform Federal privacy standard. While HIPAA establishes
such a standard, it permits State variations that are found in thousands of statutes, regulations, common law principles, and
advisories. This patchwork quilt creates confusion among those
who hold identifiable health information and those who seek to establish these data exchanges.
We believe strongly in a national standard that provides strong
privacy protections for every American and facilitates nationwide
and system-wide electronic data exchange for the betterment of patient care.
Mr. Chairman, Section 6 of your bill, H.R. 4832, laid out a process to help achieve that national standard, and we hope that it will
find its way and be part of any future HIT legislation.
One thing that helps us put a face on health care policy and to
put it in perspective is that these issues unavoidably become personal for all of us. My family currently has a compelling example
in the person of my 88 year old father, who lives in Fort Lauderdale, FL. Just a few months ago, after a brief hospital stay for
acute kidney failure, he began a regimen of dialysis three times a
week. At the same time, he was receiving radiation treatment for
prostate cancer.
I can tell you firsthand that the staffs in the hospital, the radiation center, the dialysis center, and the various physician offices
are fully complying with the HIPAA privacy rules, oftentimes making it difficult for me and my five brothers and sisters to help coordinate his care. Be assured that health professionals take the
rules very seriously.
More importantly, however, I am also experiencing firsthand the
absolutely critical need for a unified electronic health record so that
my Dad's oncologist, nephrologist, internist, cardiologist, nutritionist, radiation center, and dialysis center would all know in real
time what each is prescribing and, more importantly, how he is
doing. For example, sharing the results of lab tests, sharing the
prescriptions that they are ordering.
An electronic health record would have avoided my Dad's recent
experience of receiving Procrit from his oncologist while he was receiving a similar medication, Epigen, at the dialysis center. Unfortunately, it fell to us to alert and notify those two health providers,
because they were not sharing this information.
You can see the importance of having this electronic health
record. America's patients, not just my Dad, need electronic health
records, and I applaud the efforts that you, Mr. Chairman, and others have put toward achieving that goal.
We look forward to working with you, finding the appropriate
balance between privacy and the need for sharing this important
information as we move forward in this important area.
Thank you.
[The prepared statement of Ms. Grealy follows:]
Mr. CLAY. Thank you so much, Ms. Grealy, for that testimony.
Mr. Pickard, you may proceed.
STATEMENT OF BYRON PICKARD

Mr. PICKARD. Chairman Clay and members of the subcommittee, thank you for this opportunity to testify. I will be testifying on behalf of AHIMA, but will also draw upon my professional experiences to describe the public/private efforts currently underway exploring the privacy of electronically transmitted health information.
My written testimony addresses some areas of specific interest to
our profession; namely, expansion of privacy protections for personal health records, differences between HIPAA at business associates and non-covered third-party contractors, and protecting student health information, and conflicts between HIPAA and FERPA.
AHIMA also has a foundation of research and education, which has
received several grants and contracts from the Office of the National Coordinator and others. I have attached a list of those commitments.
Mr. Chairman, the HIM professional's responsibilities are interwoven with privacy and security issues. The expansion of confidentiality management and protection is impacted not only by HIPAA
but also by the health care industry's continued transformation
from a paper intensive industry to one of electronic records and
transmissions.
I wish I could tell you that the health care industry has been
transformed into a fully electronic system, but, in fact, I cannot.
We are in the midst of what would be a long transition.
In working through these transitional issues, AHIMA has
partnered with the American Medical Informatics Association and
we have produced two joint statements relative to today's discussion, one on health information confidentiality, and the other on
the value of personal health records. With so much history and experience in the protection of health information, it is important to
note AHIMA's position. Our written testimony contains our full list
of health information confidentiality principles.
As our health care system becomes more interconnected, our
networked health information will flow across a range of entities
and boundaries. It will be critical to follow these principles. Privacy
protections must follow personal health information [PHI], no matter where it resides, and uniform and universal protections for PHI
should apply across all jurisdictions in order to facilitate consistent
understanding and compliance.
Considerable time has been spent exploring and developing electronic health information exchange and how to protect health information by the Agency for Health Care Research and Quality, the
American Health Information Community, the Office of the National
Coordinator, and others. These initiatives and their impact on privacy and security are detailed in our written testimony.
AHIMA members, and especially those who fill the role of privacy officer, are noting that the issue of confidentiality is moving beyond just health care. With the banking and finance industries
handling health information more frequently, it has become apparent that we must soon address the comprehensive protection of an
individual's information, whether it is financial or
health related. This is an issue that Congress will need to investigate as we see more change in the bordering of industry boundaries.
We also see a need for consumer education to address confidentiality and security, as well as the value of health information technology usage. It is only with consumer trust that a national infrastructure can be built and laws adopted or modified to facilitate information exchange.
AHIMA has long called for consumer-based personal health
records, in addition to the standard provider-based electronic
health records. While we have never endorsed a PHR product, we
have called for consumers to use a PHR, whether in paper or electronic form, to track their own health status. To support this goal,
AHIMA embarked upon a PHR consumer education campaign that
combines the use of a consumer Web site with public presentations
by AHIMA members in each and every State.
AHIMA is leading an effort to ensure interoperability of the
PHR, with the new health level seven standard electronic health
record, and we expect to see a new PHR electronic standard from
HL7 in the near future.
AHIMA's belief that protections should follow personal health
information, no matter where it might be stored or transferred,
clearly extends to PHRs. PHRs can be stored or offered by a variety
of different vendors or operators. Some of these vendors are
HIPAA-covered entities, and others are not.
Protections against the discrimination and misuse of PHR information must be established along with a requirement that any access or use of PHR information be governed by a separate authorization unless otherwise required by law. Except for PHRs offered
by health care providers, we believe that individuals should be
given the right to opt out of a PHR being built for them or their
family members.
The answers are not simple. As the AHIC and the NCVHS and
others discuss and provide recommendations in the privacy and security area, Congress can also begin to look at some very important
issues: that confidentiality protections follow the information no
matter where it resides or is transferred; that comprehensive nondiscrimination laws have harsh penalties for the intentional misuse
of health information; that we prosecute those who break these
laws; that we penalize those entities that are non-compliant with
confidentiality and security laws and regulations; that conflicts between HIPAA versus FERPA be eliminated in favor of consistent
and strong confidentiality; and that proposed laws be reviewed to
identify barriers that may arise that would impede the deployment
of health information technology products, expansion of health information exchange, and critical uses of health information.
Mr. Chairman and members of the subcommittee, I hope that our
testimony has given you an insight into the aspects of health care
confidentiality and security that you are seeking, and that our recommendations will provide you with guidance as you address the
many difficult questions facing our community. I stand ready to answer any further questions or concerns you might have.
Thank you.
[The prepared statement of Mr. Pickard follows:]

Mr. CLAY. Thank you so much, Mr. Pickard.
Mr. Swire, of the Ohio State University.
STATEMENT OF PETER SWIRE

Mr. SWIRE. The Ohio State University, home of the Buckeyes. Yes, sir.
Mr. CLAY. Yes, sir.
Mr. SWIRE. Mr. Chairman, members of the subcommittee, thank
you very much for the invitation to testify here today on privacy
and security of electronic health records.
Today fewer than 10 percent of our clinical records in the country
are accessible in electronic form, and all of us hope that number
climbs sharply in the next decade.
My colleague at the Center for American Progress, Karen Davenport, has recently released a new report about health IT and the
quality improvements, and, Mr. Chairman, I ask if that could be
submitted to the record for this hearing.
Mr. CLAY. Yes, please.
Mr. SWIRE. Thank you.
To make this shift to the NHIN, the National Health Information
Network, we need to get privacy and security right. Public surveys
repeatedly showed that these privacy concerns are top of mind
when it comes to the shift to electronic health records. Unless
Americans are convinced that effective safeguards are in place,
many of the benefits of this NHIN may be delayed or lost entirely.
My written statement addresses various issues, but I would highlight two things in the testimony today: preemption and enforcement.
On preemption, my theme is that the wrong sort of preemption
would actually repeal many existing privacy and security safeguards. On enforcement, the current no-enforcement system is not
a sound basis for going forward with electronic health records.
Briefly, my background before returning to law teaching, I served
as chief counselor for privacy in the U.S. Office of Management and
Budget in 1999 and 2000, and in that role I was the White House
coordinator for the HIPAA privacy rule. This has lost me many
friends in the medical community.
During that time we had over 50,000 public comments on the
proposed rule, and I co-chaired the process to look at those, try to
respond to them, and come up with a final rule by the end of 2000,
and I have worked in this area since. So it is based on that I try
to offer some observations today.
On preemption, my first theme is that simple preemption of
State laws going to HIPAA alone would repeal many existing privacy protections.
In many States we have protections for things like HIV records,
mental health, substance abuse, reproductive records, Public
Health Agency records, genetic records, and if we simply say let's
do HIPAA, then that means that all of the State protections would
be repealed.
In Ms. Grealy's testimony, they feature Indiana as a State to
look to. Indiana has the fewest State safeguards, and so harmonizing on that level would be a drop in privacy protection, and we
should be careful about doing that.

On enforcement, I have serious concerns about the lack of enforcement from HHS. This is an oversight issue. This creates an
obstacle to going forward with electronic health records. If no enforcements are brought under the current system so far under
HIPAA, why should the public trust we are going to have good enforcement for the next generation?
Let me emphasize my criticism here goes to law and policy and
not to the good faith or the intelligence or hard work of people at
HHS, but there are some legal problems the Congress may need to
address.
There are three principal problems in enforcement:
First, the batting average for HHS is pretty low. There have been
27,000 complaints and zero civil or monetary penalties, so over
27,000. That doesn't create a lot of confidence.
Second, the current administration has adopted the policy of one
free violation. In an enforcement rule last year, HHS said that the
first violation simply won't lead to a penalty; instead, it will lead
to a plan to correct going forward. This sends the signal that medical privacy shouldn't be taken seriously. If you are a covered entity, just wait until they come the first time and then you can fix
it, but you don't face any exposure.
Third, the Department of Justice has dropped the ball on criminal prosecution. Justice has received almost 400 referrals from
HHS and has brought zero cases under those 400 referrals. These
are the most serious cases, and the problem is that, once it goes
to DOJ, under current policy HHS stops all proceedings, so the
most serious cases HHS doesn't do it and DOJ doesn't do it.
This lack of enforcement has been the subject of major stories in
the Wall Street Journal and the Washington Post. One expert was
quoted in the Post saying, "HHS really isn't doing anything, so why
should I worry?"
The lack of HIPAA enforcement will make it harder to build the
next generation of electronic health records. Critics will be on
strong and legitimate ground saying they can't trust the current
system, much less the higher level of trust we would want to have
if we go to the all-electronic NHIN.
In my testimony I point out that we can respond to these problems perhaps by HHS changes or by targeted legislation. Here are
three things to consider, and then I will close: first, HHS can end
the one free violation part of the enforcement reg; second, we
should end the current interpretation where HHS stops its own enforcement efforts in the most serious cases whenever there is a
criminal referral to DOJ; and, third, a mistaken Department of
Justice legal opinion that narrowed the criminal provisions of
HIPAA should be revisited. They really take the position that only
the hospital that intentionally violates the law and not any of the
individuals who break the law can be enforced.
That concludes my comments. I welcome any questions you may
have.
[The prepared statement of Mr. Swire follows:]

Mr. CLAY. Thank you, Mr. Swire.
Let me thank the entire panel for their testimony today.
We will begin the question period under the 5-minute rule, and
I will begin with a general question for everyone to comment on.
Many electronic health care tools such as electronic health records
and internet-based personal health records are available to consumers today. The country, however, is still lacking an established
nationwide approach for ensuring that personal health information
will be protected from inappropriate disclosure. Do you believe that
the implementation of health IT is beginning to out-pace the development of overall privacy policies and practices?
We will start with Ms. Grealy.
Ms. GREALY. Well, as I said, both from my experience as heading
up the Healthcare Leadership Council and formerly with the American Hospital Association, as well as my personal experience dealing with health care for my family, providers took the HIPAA privacy rule very, very seriously. They put in place compliance plans,
a lot of education, and this was throughout all of the covered entities, the various business associates. I am not sure we often recognize just how much went into making sure they understood the
HIPAA privacy rules and they were in compliance.
The rules are very complex. I just want to touch on, I think, the
approach that HHS and the Office of Civil Rights has taken is really the proper approach. They could have taken a gotcha approach,
and, you know, every time we find you have made just the slightest
error we are coming after you with civil and monetary penalties or
criminal penalties. I think, instead, what they did was to develop
a partnership. We want this rule to work, and so we have
partnered with providers and others to educate them.
Of the 27,000 complaints that have been registered, I think if
you delve into them, if you talk with the people at the Office of
Civil Rights you will find that many, many, the vast majority, were
really a misunderstanding of what was required by the privacy
rule. In fact, many times we have run into what I would call hypercompliance, where we have providers unwilling to share information with those who could benefit from it because they throw up
"HIPAA doesn't allow me to do that." So we really have to strike that
appropriate balance.
As we move into the electronic world, security measures are in
place. I think we also sometimes lose sight that these electronic
medical records can be much more secure than the paper records
that have been sitting in file cabinets and physicians' offices. Oftentimes you have no way of determining who has accessed those
records, unlike in the electronic world where you can establish an
audit trail. You can really determine who has accessed that and
whether it is appropriate. You can password protect it.
So I think we have a framework. We may have to modify it. You
can tell from the GAO testimony that there is a lot of work going
on at HHS, at AHIC, the National Committee on Vital Health Statistics, to determine what is appropriate in this electronic world.
But remember, this all started because people were concerned
about the electronic transmission of personally identifiable health
information. That is what started the HIPAA statute and resulted
in the HIPAA privacy rule. So I don't think we need a wholesale

revision of it. We may need some tweaking of it. But I think right
now it is workable, and a lot of providers are spending a lot of time
and resources that don't go to direct patient care, but instead go
toward compliance. I think we have to be very, very careful in
terms of how we use those resources.
Mr. CLAY. Thank you, Ms. Grealy.
Mr. Pickard.
Mr. PICKARD. Yes. I would have to agree, and I think that it is
not a question of the technology but more about the actual policies.
I do believe that HIPAA has provided a good framework, and I
think where we run into challenges or where we will run into challenges are the other entities, the other types of entities outside of
the HIPAA boundaries, the covered entities that are now faced
with handling health information. So I believe that is probably
where we run into challenges associated with HIPAA. That, again,
kind of brings us back to an important point or important principle
within my testimony, and that is that the confidentiality and privacy protections follow the information, no matter where it goes or
where it resides or how it is accessed or handled.
Mr. CLAY. How about you, Mr. Swire?
Mr. SWIRE. Thank you, sir.
A fairly simple point. HIPAA came about when we made a shift
for payment records from paper to electronic, so you would file with
Medicare, insurance companies electronically, and Congress said in
1996 let's do privacy and security with that.
We are now in chapter two, and chapter two is the shift for clinical records, your x-rays and all the rest of those things, and we are
now building the systems for the first time to really move clinical
records, so we should build those systems right for this generation
like we tried to build systems right for the payments generation,
and that is our job together.
The easiest time to get privacy and security right is when you
build it the first time. It is much harder to patch later. That is
where Congress can take a leadership role and make sure we do
it.
Mr. CLAY. Thank you for that response.
Mr. Hodes.
Mr. HODES. Thank you, Mr. Chairman.
Professor Swire, I am interested in and appreciate your condensed version of arguments about preemption and what we might
lose by it, because really I think that goes to the heart of policy
issues that Congress is facing in dealing with the questions of a national health information network versus leaving it to what is
clearly a rapidly evolving patchwork of regulation. You point out
that we have HIPAA as, call it, a baseline, but that many States
have—in fact, I think all the States have dealt with other medical
information of a very sensitive kind that HIPAA simply doesn't
deal with. So I take to heart your point about not rushing too
quickly to simply say HIPAA is the standard and that is the national standard and that is where we are leaving it.
If we were to look at the national picture, which I am sure you
have much more than I have, how would you balance, in looking
what the various States have done in terms of the issues you have
raised on pages three and four of your report—mental health

records, HIV, and all that—if Congress was inclined to try to set
some national standard, mindful of your warnings? How would you
suggest we go about looking at what the States have done? Should
we simply say we are going to take the best standards from whichever State best protects privacy and security of people and that is
the one we are going to use for HIV, and similarly we are going
to look at mental health records and take the best one that we can
get from State B, and then we are going to incorporate it with this
other baseline and call it a Federal standard? What do you think?
Mr. SWIRE. Well, we could go on for quite some time—
Mr. HODES. I know.
Mr. SWIRE [continuing]. To try to figure out how to do that,
but—
Mr. HODES. I have only got 5 minutes.
Mr. SWIRE. I know, and I will try to do it in about four sentences.
Not really.
The first point is best does not mean stricter or less strict. You
can't avoid making some judgments here, so when it comes to HIV
data you have a public health issue if people won't get tested, and
if you repeal for big cities HIV protections you could face public
health risks, and that doesn't seem like a good idea to me.
But I think one step here is I think that HHS and the Government can play a much better role in helping us all understand
what the State laws are, and here is a specific thing. There is this
RTI study—that is the contractor for HHS—and they have gone
and done studies of, I think, 34 States. I have been told by somebody who has been near the process that they are not planning to
release the surveys from the States to the public. It seems to me
if Government is going to spend contractor money to try to figure
out what all these State laws mean, they reduce compliance costs
for everybody if we get that information out to everybody, so just
a much better job of education and getting the information out
there so that people don't have to go to expensive law firms to try
to figure it out. That is one step toward knowing what needs to be
done.
Ms. GREALY. Congressman, I would like to comment—
Mr. HODES. Please. Thank you.
Ms. GREALY [continuing]. Because we undertook one of those
very expensive studies, $1 million investment, to have a tool where
providers could check to see what is the State law, what is the variation. That still requires time. It is a lot of money to maintain that
system, and I don't think it addresses your question. I don't think
it really gives us a workable national standard. Just because we
have the information from the RTI study, we still have all this variation.
We dont have to sacrifice privacy to develop this standard. Again
I reference Section 6 in H.R. 4852, which really set out a process.
Let's look at the States, let's study the variation, and then come
up with recommendations as to what would be the appropriate rule
in those very sensitive areas. We have done it for mental health
to a certain degree in the HIPAA privacy rule, but we certainly
could improve it in those other areas.
Mr. HODES. Thank you.
Mr. Pickard, did you want to comment?

Mr. PICKARD. No.
Mr. HODES. Thank you.
Mr. Chairman, I yield back. Thank you very much.
Mr. CLAY. Thank you for that line of questions.
I asked this question to GAO during the first panel and would
like to hear your thoughts on the topic. A significant problem with
HIPAA is that it does not cover all entities that possess or utilize
personal health information. Some life insurers and research entities not involved with the treatment of patients fall outside the
rules. In your work, have you analyzed this problem? And how significant is it, in your view?
Lets start with Mr. Swire.
Mr. SWIRE. OK. So this has to do with who should be covered entities, and the statute sets that forth. HHS doesn't have a lot of
wiggle room on that, so it would have to come from Congress.
I think that for life insurance it is not such a big program.
Gramm-Leach-Bliley applies there. But in my testimony I point
out that if you say anything that touches medical data, like I buy
a breast cancer book for somebody on Amazon, we don't want to
suddenly have HIPAA kick in just because they mention the word
health, and so how to expand it is something that you have to be
careful about.
One area of concern is that public health agencies are not subject
to Federal laws, and law enforcement when it grabs health data,
and there may be some work to be done on the Government's side
to make sure that effective protections are in place, especially if
they are trying to gather lots of bio-surveillance kinds of things
going forward.
Mr. CLAY. Mr. Pickard.
Mr. PICKARD. Yes. If I could just say, that is an important question. I think that our association, AHIMA, strongly believes in harmonization of all of the privacy protections across all entities.
When you look at the personal health records, when HIPAA was
developed personal health records were barely being talked about.
In a university setting with student records there is a lack of harmonization, as I mentioned in my testimony, between the FERPA,
or Family Education Rights Privacy Act, and HIPAA. There are differences. And so I think it is an important question, and I think
that, again, I agree it is one that will require answers and consideration as we move forward.
Mr. CLAY. Thank you.
Ms. Grealy, any thoughts?
Ms. GREALY. Well, as always, it is a balancing question. We want
to make sure that we are not stifling innovation, as we have. I
mean, I think we are finally beginning to see patients becoming
more engaged in helping to manage their health care, and getting
them engaged with personal health records I think is a very positive thing. We want to make sure that they feel very secure when
they are sharing that information.
Now, is the best way to go about that, make everyone a covered
entity? Is it better to make them business associates? I think we
just have to make sure that the rules are clear, that we don't have
conflicting standards out there. So if you start expanding business
associates, making them covered entities, they may be in one sense

a business associate, have to comply with a covered entity's rules,
but then in another setting they become a covered entity, and they
all hold a different set of standards.
So, again, we know that there is work going on in this area. I
know AHIC is looking at it. We are going to be testifying before
them on Friday. But, again, just carefully looking at those and
making sure that we are not getting into over-regulation and stifling the innovation that is really taking place out there.
I think one of the most important things I heard from the GAO
panel, and something that we really have to focus on, is educating
the public, communicating to them why do we want this information, but, more importantly, why is it good for you as a patient for
us to have this information. Why do we want it? How are we going
to share it? And how are we going to protect that information and
keep it secure? So they know under HIPAA and various State statutes we can't disclose it to their employer, we can't disclose it to
the newspaper, we can't disclose it to their neighbors. But we have
to assure people that it is important for their health and for the
health of future generations for us to have a workable privacy rule
that allows for the necessary flow of health information.
Mr. CLAY. Along those same lines, there is significant debate concerning the most effective way to obtain patient authorization for
the disclosure or sharing of personal health information. For a national health information network to be successful, doesn't it require a stronger uniform privacy standard that requires affirmative
consent from a patient for all information disclosure? And yes, we
can start with you. I would like to hear comments from the entire
panel.
Ms. GREALY. I have the great benefit of every once in a while getting out there and talking to the real people that are actually doing
this. I was just in Delaware, where they are doing a demonstration
project with a health information network. We talked about this.
Let's call it opt-in versus opt-out.
I am going around and asking this question: how would your
data exchange system work if it had to be an opt-in? If you are the
Mayo that has a century worth of data, longitudinal studies, how
would it work if you had to have an opt-in as opposed to you have
the information, you give people the opportunity to opt-out of it?
But if you had to go to each individual patient, to each individual
subject that you want included, and get their affirmative decision
to be included and to share their electronic medical record, I think
it would halt the system.
If we have to make a decision between the two, certainly opt-out
is going to be better.
Mr. CLAY. Mr. Pickard, any comments?
Mr. PICKARD. Yes. Again, I think this is probably an area where
AHIC is, in terms of their Privacy and Security Committee is looking into these types of issues.
I can tell you in the State of Tennessee, with our health information exchange we have run up against this very question or this
very issue, and we have put in protocols to enable patients to opt
in or opt out, and then certainly you have the whole concept of patient identification. But, again, I think it is an important issue.
Mr. CLAY. Mr. Swire.

Mr. SWIRE. Thank you. So the one way this comes up is if somebody sees a psychiatrist or gets substance abuse or something else
and they say, look, I don't want this going out to everybody everywhere. So one idea of consent or authorization is some way for the
patient to say, hold on, not this.
I think it makes sense to a lot of people that some sort of permission for patients or some sort of control over that might make
sense.
Now, we can talk opt-in/opt-out. Some of the systems don't want
to have an opt at all. They just want to say we are going to sign
everybody up. I think that is a concern. So if you don't want to be
in at all, if you don't want to just sort of have my doctor puts everything in and I have no control over that, I don't think that is
the right place to be. The question is what point, for how many
choices, will a patient have any say.
I worked on Markles Connecting for Health Task Force, and
they have a write-up on this that I think goes through it in a sensible way, and I think you end up with an opt out where that is
realistic where patients say, look, it generally goes in, but if I say
it doesn't we should try to build it so it doesn't go in.
Mr. CLAY. Just to pause after hearing the three different responses, what is the damage? What is the harm if someone other
than a health care provider gets a copy of an x-ray or they get a
record of a prescription? What do you think the harm is?
Ms. GREALY. I think the concern is that the health care provider
might not get the x-ray. I mean, I am not even talking about disclosures to those that really shouldn't have the information. We are
talking about patients saying, no, provider, the physician treating
me cannot have this information. So we have to be very, very cautious, again, in that balance of making sure, and there may be a
system of, you know, flagging it so the physician knows I don't
have all the information, I had better check with this patient.
I am not sure how that translates when we are trying to build
data bases to improve the quality of health care, to improve treatment for disease, if we have a lot of critical missing information.
Mr. CLAY. Well, like the example you use in your testimony, the
pharmacist should have relayed to both physicians for your father
what medicines?
Ms. GREALY. If this were something that he was getting at a
pharmacy, you are right. CVS, one of our members, they have gone
electronic, so they can do those alerts. But these were services,
these were hormone shots, one being given in the oncologist's office
and the other being part of the dialysis center treatment. There is
no pharmacist in the picture, no electronic medical record to exchange that information, and so no way to alert.
Mr. CLAY. Mr. Pickard, any thoughts?
Mr. PICKARD. Again, I think—and I said this in my testimony—
I think we need to move away from thinking about the type of information and the entity and make sure that the privacy protections do follow the health information wherever it resides.
Let me just share. If I am an employee, I want the capability to
opt out and to perhaps not have my employer have certain types
of information. This is particularly important in today's environment where a lot of employers or insurances, for that matter, are

developing personal health record tools for employees or subscribers. I think as an employee or an insurance subscriber, I should
have that right to opt out of that.
Mr. SWIRE. Just one point to add on is that some of the most sensitive kinds of data that I have been talking about, the mental
health and substance abuse, genetic, or whatever, are only protected by State law, so even if x-rays aren't, these other things are
only protected by State law, and if we were to harmonize at the
national baseline then those psychiatric notes, the substance abuse
things, and the rest could be going through the system, and that
is a reason not to preempt too strictly or not to preempt at a low
level.
Mr. CLAY. Let me ask this. This is a question for the entire
panel. There have been long-term concerns on how health information is treated differently under institutions that are also covered
under different privacy regulations, such as Family Educational
Rights and Privacy Act of 1974. Under the privacy rule, records
protected by FERPA are not covered by the privacy rule; therefore,
even if the information contained in an education record is health
related, the privacy rule does not apply.
Is this an area where conflicts ought to be addressed in order to
harmonize the way in which patient information is protected?
Ms. Grealy, we will ask you first.
Ms. GREALY. Well, I think one of the things that those that actually have to do compliance are always looking for is: give me uniformity. Make it simple. Don't have one set of standards here, another set of standards there. So I think any way we can harmonize
these requirements is a positive thing.
Mr. CLAY. Mr. Pickard.
Mr. PICKARD. I agree. And let me just share, working in a university, you know, we interact and deal with both HIPAA regulations as well as FERPA regulations, and if I am a student and let's
say if I have a medical condition that requires me to live off campus, I have to submit what actually becomes part of my academic
record health information, and there is a lack of standardization in
terms of how that information may or may not be handled. So I
agree. I think there needs to be a harmonization across all of these
different laws.
Mr. CLAY. Thank you.
Mr. Swire.
Mr. SWIRE. I am going to disagree on the FERPA one. I will just
explain why. That was an issue that I worked on extensively during the rule and the comments from the schools, associations, and
the rest. The logic at the time, and maybe it is different today,
was with school nurses in high schools all over the country, rural
grade schools, all the rest, if we harmonized to HIPAA, which is
what AHIMA recommends and is worth considering, if we harmonize to HIPAA then the school nurse in that grade school out
in a rural area would have to do full HIPAA compliance. And it
wasn't clear that was the big risk, and it was clear that there
would be a whole compliance thing to do if that happened.
So the idea there was we thought that there was a pretty reasonable FERPA regime in place, that the school nurses shouldn't suddenly have to do more, and that was a sensible way to go.
Now, it does mean that universities like Vanderbilt get a double
whammy, because they get students and then they get some other
folks who are HIPAA, and suddenly they get both. In some ways
maybe Vanderbilt people are so smart they can handle it, but
maybe not every school nurse has to do HIPAA.
So I am not really sure how you harmonize, because if you harmonize that everybody is HIPAA, then it is the school nurses of
America that will be here next time.
Mr. CLAY. Speaking of universities, Mr. Swire, I will ask you and
then go down the line. Mr. Mark Rothstein of the University of
Louisville has written extensively on the use of compelled authorizations for personal health information by employers for job applicants, life insurers for those applying for coverage, and other noncovered entities. If the current privacy rule does not regulate PHI
once it is released to a third-party entity not covered under the
rule, shouldn't we re-examine who will be covered when receiving
electronic health information?
Mr. SWIRE. That is a great question, and it wouldn't be easy to
legislate, but here are a couple of points that come up.
So right now you can't have compelled authorizations for health
care providers. If you show up at the ER and you are rolling in on
the gurney, they can't say, sign here or we won't treat you, and you
sign away everything. That is in HIPAA.
The thing was, when HIPAA rules were written, HHS could do
that, that is, covered entities, but HHS had no jurisdiction over
the employers of America. That just wasn't in the statute, so there
was no choice in writing the rule about what to do for employers.
That is a choice that only Congress can decide to step into.
If you want to say, as Congress, we are going to treat the employers the way we treat the hospitals, you can't require these authorizations as a condition of being employed here, that is a decision Congress can make. You are going to hear it from the employers. And sometimes employers will say we need this to figure out
if they can lift the heavy loads or we need it for some other job-related thing. But that is what you would have to work through,
and it would have to be statute. It can't be by reg.
Mr. CLAY. Thank you.
Any comments on that, Mr. Pickard?
Mr. PICKARD. Yes. We are seeing many, many different types of
entities outside of the HIPAA-covered entities and business associates that are handling health information. Again, this goes back to
our principles I shared earlier, and that is that we really look to
confidentiality protections following the health information, no
matter where it resides, and there needs to be a national floor for
handling health information.
Mr. CLAY. OK. Ms. Grealy.
Ms. GREALY. I talked with a few of, I think, entities that people
are referring to. Revolution Health Care is one that is really getting into working with consumers, developing a personal health
record that they can access through the internet. They have a contractual relationship with the consumers that they are dealing
with, and they say that they are HIPAA compliant, even though
they are not a covered entity; that they feel it is a good business
practice. They want the trust of the consumers that they are dealing with, and it is in their best interest to make sure that they
have a high level of security and protecting that information.
So I think all of us have mentioned we know that AHIC, HHS,
and others are really exploring these issues, and I think that is
really the appropriate place; that we need to look at it carefully;
make sure, as I said earlier, that we are not stifling innovation by
expanding the reach of a heavy regulatory scheme; and make sure
that it is balanced well, because I don't think we want to snuff out
the innovation that is going on out there, but we do want to make
sure that this information is protected.
Mr. CLAY. All right. Thank you.
Let me thank the entire panel for their testimony and their answers. We have certainly covered some ground today. This is a very
complex issue. As the Congress takes this issue on of health information technology and how we actually protect the privacy of citizens throughout this country, patients, we will certainly rely on
your expertise, and this hearing has been helpful in shedding light
on this. Let me again thank you all for your testimony today.
That concludes this hearing.
[Whereupon, at 3:30 p.m., the subcommittee was adjourned.]
[Additional information submitted for the hearing record follows:]